Marriott has taken measures to investigate and address a data security
incident involving the Starwood guest reservation database. On November
19, 2018, the investigation determined that there was unauthorized
access to the database, which contained guest information relating to
reservations at Starwood properties* on or before September 10, 2018.

On September 8, 2018, Marriott received an alert from an internal
security tool regarding an attempt to access the Starwood guest
reservation database in the United States. Marriott quickly engaged
leading security experts to help determine what occurred. Marriott
learned during the investigation that there had been unauthorized access
to the Starwood network since 2014. The company recently discovered that
an unauthorized party had copied and encrypted information, and took
steps towards removing it. On November 19, 2018, Marriott was able to
decrypt the information and determined that the contents were from the
Starwood guest reservation database.

The company has not finished identifying duplicate information in the
database, but believes it contains information on up to approximately
500 million guests who made a reservation at a Starwood property.
For approximately 327 million of these guests, the information includes
some combination of name, mailing address, phone number, email address,
passport number, Starwood Preferred Guest (“SPG”) account information,
date of birth, gender, arrival and departure information, reservation
date, and communication preferences. For some, the information also
includes payment card numbers and payment card expiration dates, but the
payment card numbers were encrypted using Advanced Encryption Standard
encryption (AES-128). There are two components needed to decrypt the
payment card numbers, and at this point, Marriott has not been able to
rule out the possibility that both were taken. For the remaining guests,
the information was limited to name and sometimes other data such as
mailing address, email address, or other information.

Marriott reported this incident to law enforcement and continues to
support their investigation. The company has already begun notifying
regulatory authorities.

“We deeply regret this incident happened,” said Arne Sorenson,
Marriott’s President and Chief Executive Officer. “We fell short of what
our guests deserve and what we expect of ourselves. We are doing
everything we can to support our guests, and using lessons learned to be
better moving forward.”

“Today, Marriott is reaffirming our commitment to our guests around the
world. We are working hard to ensure our guests have answers to
questions about their personal information, with a dedicated website and
call center. We will also continue to support the efforts of law
enforcement and to work with leading security experts to improve.
Finally, we are devoting the resources necessary to phase out Starwood
systems and accelerate the ongoing security enhancements to our
network,” Mr. Sorenson continued.

Guest Support

Marriott has taken the following steps to help guests monitor and
protect their information:

Dedicated Website and Call Center

We have established a dedicated website (info.starwoodhotels.com
)
and call center to answer questions you may have about this incident.
The frequently-asked questions on info.starwoodhotels.com
may be supplemented from time to time. The call center is open seven
days a week and is available in multiple languages. Call volume may be
high, and we appreciate your patience.

Marriott is providing guests the opportunity to enroll in WebWatcher
free of charge for one year. WebWatcher monitors internet sites where
personal information is shared and generates an alert to the consumer
if evidence of the consumer’s personal information is found. Due to
regulatory and other reasons, WebWatcher or similar products are not
available in all countries. Guests from the United States who activate
WebWatcher will also be provided fraud consultation services and
reimbursement coverage for free. To activate WebWatcher, go to info.starwoodhotels.com
and click on your country, if listed, for enrollment.

Marriott is furnishing a Form 8-K with the SEC attaching a copy of this
press release and presenting certain other information with respect to
the incident.

Marriott International, Inc.
(NASDAQ: MAR
)
is based in Bethesda, Maryland, USA, and encompasses a portfolio of more
than 6,700 properties in 30 leading hotel brands spanning 129 countries
and territories. Marriott operates and franchises hotels and licenses
vacation ownership resorts all around the world. The company also
operates award-winning loyalty programs: Marriott Rewards®, which
includes The Ritz-Carlton Rewards®, and Starwood Preferred Guest®. For
more information, please visit our website at www.marriott.com
,
and for the latest company news, visit www.marriottnewscenter.com
.
In addition, connect with us on Facebook
and
@MarriottIntl on Twitter
and Instagram
.